"adrian(a)jboss.org" wrote : The default implementation using system properties | http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html | won't understand the vfs urls because the VFS code isn't even in the classpath | when the server boots and reads the file. My understanding may well be flawed, but when I was researching this for secure classloading in Remoting, my conclusion was that the URLs need not be resolvable at load time; rather they are somehow compared against the ClassLoader's CodeSource (by way of the ProtectionDomain used to load each class) at the time the permission is checked, or possibly at the time the class is loaded. I think that as long as the VFS classloader is properly configuring the ProtectionDomain when loading classes, including the proper VFS URL for each class (using one of the ClassLoader.defineClass() methods which accepts ProtectionDomain), it should Just Work, even with the default policy. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4181035#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...